IBM Support

QRadar: Aggregated Data Limit Has Been Reached

Troubleshooting


Problem

When the aggregated data view limit is reached, graphs and reports generate the error: "The aggregated data view could not be created due to an aggregated limit."

Diagnosing The Problem

Aggregated data views are accumulation buckets of data that are used to generate reports and dashboards. They are based on saved searches that accumulate the data regularly in the background. For performance reasons, QRadar limits the number of aggregated data views that are allowed. In QRadar 7.3 and later, 300 aggregated data views are allowed.

In QRadar version 7.3 and greater, you can see the number of views being used by the Console. Administrators with users who report this issue should review the number of aggregated data views being used in QRadar. The administrator is responsible for determining whether there are specific aggregated data views that can be disabled, either because they are defaults that are not being used or because overlapping searches reuse similar data. Many times there is a default view in use that people are not aware of or do not need.

To determine the number of aggregated data views currently being used, the administrator must log in to QRadar and manage the number of views that are enabled on the system.

Procedure

  1. Go to the Admin tab.
  2. Click Aggregated Data Management.
  3. Review the user interface to determine the number of aggregated data views that are currently enabled. For example, "Using xxx of 300 total aggregated data views".


Resolving The Problem

If you have reached the total number of aggregated data views, delete the unnecessary views by using these steps:
  1. Log in to the QRadar user interface as an administrative user.
  2. Click the Admin tab.
  3. Click the Aggregated Data Management icon.
  4. Find enabled views that can be deleted by using one of the following criteria: Report Name, Chart Name, Saved Search Name, or the Times Searched field.

  5. Select a view.
  6. Select one of the following options:
    1. Disable View - (Recommended). Disabling an aggregated data view leaves the data intact for historical searches and reports that users might need to run against existing aggregated data, but new information is not accumulated for the view. This option in essence keeps the view stuck at the current state when disabled and reduces the used aggregated data view count by one from the maximum view limit.

    2. Delete View - Deleting an aggregated data view removes any existing data accumulated and reduces the aggregated data view count.

  7. Optional. Users can review the list of QRadar dependencies (searches, reports, dashboards) displayed to understand what searches or reports might not display graphs due to removed aggregated data.
  8. Click OK.


Results
New searches that are generated by users re-create aggregated data values in QRadar.


Document Information

Modified date:
09 December 2021

UID

swg21690762